Integrations#

Skalio ID is integrated with other services.


Message Broker#

Skalio ID communicates with other services via a message broker, by exchanging asynchronous JMS messages.

The following queues are used:

  • com.skalio.id.email: Skalio ID sends an asynchronous task to itself to send an email.

The following topics are used:

  • com.skalio.id.events: Skalio ID publishes events that other services may need to react to, but which don't require any responses. Examples:
    • Token blacklisting
    • Account termination and data removal

Using Skalio ID for authentication#

In order to use Skalio ID for authentication, a service can accept ID tokens issued by Skalio ID. Skalio ID will verify the credentials of a person and issue a signed ID token. The subject field contains the unique ID of the person, as handled by Skalio ID.

The service must verify the integrity of the ID token by discovering and fetching the JSON Web Key Set. Once verified, the subject field can be used to match against the local user database. If necessary, an entry for the person can be auto-provisioned using other information available in the token.

Typically, a service would then issue short-lived access tokens, referencing the local user database entry. The person must then provide the access token when interacting with the service.

In order to end a session, the person sends a logout request to Skalio ID. The jti, the unique ID of the ID token, is blacklisted within Skalio ID. Skalio ID also informs other registered backend services, requesting them to blacklist it. Subsequently, the verification of the ID token will fail everywhere.


Implementation#

The skp-common library provides functionality to facilitate this integration:

  • Implement com.skalio.common.auth.ITokenBlacklist to store and retrieve blacklisted token jtis.
    • At runlevel 3, the com.skalio.common.auth.BlacklistSyncListener will automatically subscribe to the correct broker queue and store incoming blacklist requests.
  • Implement com.skalio.common.auth.skalioid.ISkalioIdConfiguration and return the URL to the Skalio ID OpenID Connect discovery endpoint.
    • This enables the com.skalio.common.auth.skalioid.DefaultSkalioIdIntegration to discover the OIDC provider metadata and fetch the JSON Web Key Set.
  • Annotate any REST endpoint that requires a valid Skalio ID token with @com.skalio.common.auth.filter.RequireValidIDToken.
    • This will bind the endpoint to a filter that verifies the incoming token and publishes the com.skalio.common.auth.SkalioPrincipal in the SecurityContext.
    • If the token verification fails, the filter will abort the request with an UnauthorizedException.